Quantified Differential Dynamic Logicfor Distributed Hybrid Systems

Andre PlatzerMay 2010

CMU-CS-10-126

School of Computer ScienceCarnegie Mellon University

Pittsburgh, PA 15213

This material is based upon work supported by the National Science Foundation under Grant Nos. CNS-0926181and CNS-0931985, by the NASA grant NNG-05GF84H, and by the ONR award N00014-10-1-0188. The views andconclusions contained in this document are those of the author and should not be interpreted as representing the officialpolicies, either expressed or implied, of any sponsoring institution or government.

Keywords: Dynamic logic, Distributed hybrid systems, Axiomatization, Theorem proving,Quantified differential equations

Abstract

We address a fundamental mismatch between the combinations of dynamics that occur in com-plex physical systems and the limited kinds of dynamics supported in analysis. Modern applica-tions combine communication, computation, and control. They may even form dynamic networks,where neither structure nor dimension stay the same while the system follows mixed discrete andcontinuous dynamics.We provide the logical foundations for closing this analytic gap. We develop a system modelfor distributed hybrid systems that combines quantified differential equations with quantified as-signments and dynamic dimensionality-changes. We introduce a dynamic logic for verifying dis-tributed hybrid systems and present a proof calculus for it. We prove that this calculus is a soundand complete axiomatization of the behavior of distributed hybrid systems relative to quantifieddifferential equations. In our calculus we have proven collision freedom in distributed car controleven when new cars may appear dynamically on the road.

1 IntroductionMany safety-critical computers are embedded in cyber-physical systems like cars [13] or aircraft[7]. How do we know that their designs will work as intended? Ensuring correct functioning ofcyber-physical systems is among the most challenging and most important problems in computerscience, mathematics, and engineering. But the ability to analyze and understand global systembehavior is the key to designing smart and reliable control.

Today, there is a fundamental mismatch between the actual combinations of dynamics thatoccur in applications and the restricted kinds of dynamics supported in analysis. Safety-criticalsystems in automotive, aviation, railway, and power grids combine communication, computation,and control. Combining computation and control leads to hybrid systems [11], whose behaviorinvolves both discrete and continuous dynamics originating, e.g., from discrete control decisionsand differential equations of movement. Combining communication and computation leads todistributed systems [1], whose dynamics are discrete transitions of system parts that communicatewith each other. They may form dynamic distributed systems, where the structure of the system isnot fixed but evolves over time and agents may appear or disappear during the system evolution.

(4) (4) (3) (3) (2) (2) (1) (1)

( ) ( )

Figure 1: Distributed car control.

Combinations of all three aspects (communica-tion, computation, and control) are used in sophis-ticated applications, e.g., cooperative distributed carcontrol [13]. Neither structure nor dimension stay thesame, because new cars can appear on the street orleave it; see Fig. 1. These systems are (dynamic) dis-tributed hybrid systems. They cannot be consideredjust as a distributed system (because, e.g., the continuous evolution of positions and velocitiesmatters for collision freedom in car control) nor just as a hybrid system (because the evolvingsystem structure and appearance of new agents can make an otherwise collision-free system un-safe). It is generally impossible to split the analysis of distributed hybrid systems soundly into ananalysis of a distributed system (without continuous movement) and an analysis of a hybrid sys-tem (without structural changes or appearance), because all kinds of dynamics interact. Just likehybrid systems that generally cannot be analyzed from a purely discrete or a purely continuousperspective [11, 17].

Distributed hybrid systems have been considered to varying degrees in modeling languages[6, 21, 15, 16]. In order to build these systems, however, scientists and engineers also need analytictools to understand and predict their behavior. But formal verification and proof techniques donot yet support the required combination of dynamical effects—which is not surprising given thenumerous sources of undecidability for distributed hybrid systems verification.

In this paper, we provide the logical foundations to close this fundamental analytic gap. Wedevelop quantified hybrid programs (QHPs) as a model for distributed hybrid systems, which com-bine dynamical effects from multiple sources: discrete transitions, continuous evolution, dimen-sion changes, and structural dynamics. In order to account for changes in the dimension and forco-evolution of an unbounded and evolving number of participants, we generalize the notion ofstates from assignments for primitive system variables to full first-order structures. Function termx(i) may denote the position of car i of type C, f(i) could be the car registered by communica-

1

tion as the car following car i, and the term d(i, f(i)) could denote the minimum safety distancenegotiated between car i and its follower. The values of all these terms may evolve for all i astime progresses according to interacting laws of discrete and continuous dynamics. They are alsoaffected by changing the system dimension as new cars appear, disappear, or by reconfiguring thesystem structure dynamically. The defining characteristic of QHPs is that they allow quantifiedhybrid dynamics in which variables like i that occur in function arguments of the system dynamicsare quantified over, such that the system co-evolves, e.g., for all cars i of type C.

There is a crucial difference between a primitive system variable x and a first-order functionterm x(i), where i is quantified over. Hybrid dynamics of primitive system variables can model,say, 5 cars (putting scalability issues aside), but not n cars and not systems with a varying numberof cars. With first-order function symbols x(i) and hybrid dynamics quantifying over all cars i, aQHP can represent any number of cars at once and even (dis)appearance of cars.

Verification of distributed hybrid systems is challenging, because they have three independentsources of undecidability: discrete dynamics, continuous dynamics, and structural/dimensionaldynamics. As an analysis tool for distributed hybrid systems, we introduce a specification andverification logic for QHPs that we call quantified differential dynamic logic (QdL). QdL providesdynamic logic [10] modal operators [α] and 〈α〉 that refer to the states reachable by QHP α andcan be placed in front of any formula. Formula [α]φ expresses that all states reachable by system αsatisfy formula φ, while 〈α〉φ expresses that there is at least one reachable state satisfying φ. Thesemodalities can express necessary or possible properties of the transition behavior of α. With itsability to verify (dynamic) distributed hybrid systems and quantified dynamics, QdL is a majorextension of prior work for static hybrid systems [17, 18] or programs [2, 22].

Our primary contributions are:

• We introduce a system model and semantics that succinctly captures the logical quintessenceof (dynamic) distributed hybrid systems with joint discrete, continuous, structural, and alsodimension-changing dynamics.

• We introduce a specification/verification logic for distributed hybrid systems.

• We present a proof calculus for this logic, which, to the best of our knowledge, is the firstverification approach that can handle distributed hybrid systems with their hybrid dynamicsand unbounded (and evolving) dimensions.

• We prove that this compositional calculus is a sound and complete axiomatization relative todifferential equations.

• We have used our proof calculus to verify collision freedom in a distributed car controlsystem, where new cars may appear dynamically on the road.

This work constitutes the logical foundation for analysis of distributed hybrid systems. Sincedistributed hybrid control is the key to control numerous advanced systems, analytic approacheshave significant potential for applications.

Our verification approach for distributed hybrid systems is a fundamental extension comparedto previous approaches. In much the same way as first-order logic increases the expressive power

2

over propositional logic (quantifiers and function symbols are required to express properties ofunbounded structures), QdL increases the expressive power over its predecessors (because first-order functions and quantifiers in the dynamics of QHPs are required to characterize systems withunbounded and changing dimensions).

2 Related WorkMulti-party distributed control has been suggested for car control [13] and air traffic control [7].Due to limits in verification technology, no formal analysis of the distributed hybrid dynamicshas been possible for these systems yet. Analysis results include discrete message handling [13]or collision avoidance for two participants [7]. In distributed car control and air traffic controlsystems, appearance of new participants is a major unsolved challenge for formal verification.

The importance of understanding dynamic / reconfigurable distributed hybrid systems was rec-ognized in modeling languages SHIFT [6] and R-Charon [15]. They focused on simulation /compilation [6] or the development of a semantics [15], so that no verification is possible yet. Forstochastic simulation see [16], where soundness has not been proven, because ensuring coverageis difficult.

For distributed hybrid systems, even giving a formal semantics is very challenging [4, 21, 15,23]! Zhou et al. [4] gave a semantics for a hybrid version of CSP in the Extended Duration Calcu-lus. Rounds [21] gave a semantics in a rich set theory for a spatial logic for a hybrid version of theπ-calculus. In the hybrid π-calculus, processes interact with a continuously changing environment,but cannot themselves evolve continuously, which would be crucial to capture the physical move-ment of traffic agents. From the semantics alone, no verification is possible in these approaches,except perhaps by manual semantic reasoning.

Other process-algebraic approaches, like χ [23], have been developed for modeling and sim-ulation. Verification is still limited to small fragments that can be translated directly to otherverification tools like PHAVer or UPPAAL, which have fixed dimensions and restricted dynamics(no distributed hybrid systems).

Our approach is completely different. It is based on first-order structures and dynamic logic.We focus on developing a logic that supports distributed hybrid dynamics and is amenable toautomated theorem proving in the logic itself.

Our previous work and other verification approaches for static hybrid systems cannot verify dis-tributed hybrid systems. Distributed hybrid systems may have an unbounded and changing numberof components/participants, which cannot be represented with any fixed number of dimensions ofthe state space. In distributed car control, for instance, there is no prior limit on the number of carson the street. Even when there is a limit, explicit replication of the system, say, 100 times, doesnot yield a scalable verification approach.

Approaches for distributed systems [1] do not cover hybrid systems, because the addition ofdifferential equations to distributed systems is even more challenging than the addition of differ-ential equations to discrete dynamics.

3

3 Syntax of QdLAs a formal logic for specifying and verifying correctness properties of distributed hybrid sys-tems, we introduce quantified differential dynamic logic (QdL). QdL combines dynamic logicfor reasoning about system runs [10] with many-sorted first-order logic for reasoning about all(∀i :C φ) or some (∃i :C φ) objects of a sort C, e.g., the sort of all cars. The most importantdefining characteristic of QdL is that its system model of quantified hybrid programs (QHP) sup-ports quantified operations that affect all objects of a sort C at once. If C is the sort of cars,QHP ∀i :C a(i) := a(i) + 1 increases the respective accelerations a(i) of all cars i at once. QHP∀i :C v(i)′ = a(i) represents a continuous evolution of the respective velocities v(i) of all cars atonce according to their acceleration. Quantified assignments and quantified differential equationsystems are crucial for representing distributed hybrid systems where an unbounded number of ob-jects co-evolve simultaneously. Note that we use the same quantifier notation ∀i :C for quantifiedoperations in programs and for logical formulas.

We model the appearance of new participants in the distributed hybrid system, e.g., new carsentering the road, by a program n := newC. It creates a new object of type C, thereby extend-ing the range of subsequent quantified assignments or differential equations ranging over createdobjects of type C. With quantifiers and function terms, new can be handled in a modular way(Section 5).

3.1 Quantified Differential Dynamic LogicSorts QdL supports a (finite) number of object sorts, e.g., the sort of all cars. For continuousquantities of distributed hybrid systems like positions or velocities, we add the sort R for realnumbers. See previous work [2] for subtyping of sorts.

Terms QdL terms are built from a set of (sorted) function/variable symbols as in many-sortedfirst-order logic. Unlike in first-order logic, the interpretation of function symbols can changeby running QHPs. Even objects may appear or disappear while running QHPs. We use functionsymbol

∃

(·) to distinguish between objects i that actually exist and those that have not been createdyet, depending on the value of

∃

(i), which may change its interpretation. We use 0, 1,+,−, · withthe usual notation and fixed semantics for real arithmetic. For n ≥ 0 we abbreviate f(s1, . . . , sn)by f(~s) using vectorial notation and we use ~s = ~t for element-wise equality.

Formulas The formulas of QdL are defined as in first-order dynamic logic plus many-sortedfirst-order logic by the following grammar (φ, ψ are formulas, θ1, θ2 are terms of the same sort, iis a variable of sort C, and α is a QHP):

φ, ψ ::= θ1 = θ2 | θ1 ≥ θ2 | ¬φ | φ ∧ ψ | ∀i :C φ | ∃i :C φ | [α]φ | 〈α〉φ

We use standard abbreviations to define ≤, >,<,∨,→. Sorts C 6= R have no ordering and onlyθ1 = θ2 is allowed. For sort R, we abbreviate ∀x :R φ by ∀xφ. In the following, all formulasand terms have to be well-typed. QdL formula [α]φ expresses that all states reachable by QHP α

4

satisfy formula φ. Likewise, 〈α〉φ expresses that there is at least one state reachable by α forwhich φ holds.

For short notation, we allow conditional terms of the form ifφ then θ1 else θ2 fi (where θ1 andθ2 have the same sort). This term evaluates to θ1 if the formula φ is true and to θ2 otherwise.We consider formulas with conditional terms as abbreviations, e.g., ψ(ifφ then θ1 else θ2 fi) for(φ→ ψ(θ1)) ∧ (¬φ→ ψ(θ2)).

Example A major challenge in distributed car control systems [13] is that they do not followfixed, static setups. Instead, new situations can arise dynamically that change structure and dimen-sion of the system whenever new cars appear on the road from on-ramps or leave it; see Fig. 1.As a running example, we model a distributed car control system DCCS. First, we consider QdLproperties.

If i is a term of type C (for cars), let x(i) denote the position of car i, v(i) its current velocity,and a(i) its current acceleration. A state is collision-free if all cars are at different positions, i.e.,∀i6=j :C x(i) 6=x(j). The following QdL formula expresses that the system DCCS controls carscollision-free:

(∀i, j :CM(i, j)) → [DCCS] ∀i 6=j :C x(i)6=x(j) (1)

It says that DCCS controlled cars are always in a collision-free state (postcondition), providedthat DCCS starts in a state satisfying M(i, j) for all cars i, j (precondition). Formula M(i, j)characterizes a simple compatibility condition: for different cars i 6= j, the car that is further downthe road (i.e., with greater position) neither moves slower nor accelerates slower than the other car,i.e.:

M(i, j) ≡ i 6= j →((x(i) < x(j) ∧ v(i) ≤ v(j) ∧ a(i) ≤ a(j))

∨ (x(i) > x(j) ∧ v(i) ≥ v(j) ∧ a(i) ≥ a(j)))

(2)

3.2 Quantified Hybrid ProgramsAs a system model for distributed hybrid systems, we introduce quantified hybrid programs (QHP).These are regular programs from dynamic logic [10] to which we add quantified assignments andquantified differential equation systems for distributed hybrid dynamics. From these, QHPs arebuilt like a Kleene algebra with tests [14]. QHPs are defined by the following grammar (α, β areQHPs, θ a term, i a variable of sort C, f is a function symbol, ~s is a vector of terms with sortscompatible to f , and χ is a formula of first-order logic):

α, β ::= ∀i :C f(~s) := θ | ∀i :C f(~s)′ = θ&χ | ?χ | α ∪ β | α; β | α∗

Quantified State Change The effect of quantified assignment ∀i :C f(~s) := θ is an instanta-neous discrete jump assigning θ to f(~s) simultaneously for all objects i of sort C. The effect ofquantified differential equation ∀i :C f(~s)′ = θ&χ is a continuous evolution where, for all objectsi of sort C, all differential equations f(~s)′ = θ hold and formula χ holds throughout the evolution(the state remains in the region described by χ). The dynamics of QHPs changes the interpretation

5

of terms over time: f(~s)′ is intended to denote the derivative of the interpretation of the term f(~s)over time during continuous evolution, not the derivative of f(~s) by its argument ~s. For f(~s)′ to bedefined, we assume f is an R-valued function symbol. For simplicity, we assume that f does notoccur in ~s. In most quantified assignments/differential equations ~s is just i. Time itself is implicit.If a clock variable t is needed in a QHP, it can be axiomatized by t′ = 1, which is equivalent to∀i :C t′ = 1 where i does not occur in t. For such vacuous quantification (i does not occur any-where), we may omit ∀i :C from assignments and differential equations. Similarly, we may omitvectors ~s of length 0.

Regular Programs The effect of test ?χ is a skip (i.e., no change) if formula χ is true in the cur-rent state and abort (blocking the system run by a failed assertion), otherwise. Nondeterministicchoice α ∪ β is for alternatives in the behavior of the distributed hybrid system. In the sequen-tial composition α; β, QHP β starts after α finishes (β never starts if α continues indefinitely).Nondeterministic repetition α∗ repeats α an arbitrary number of times, possibly zero times.

QHPs (with their semantics and our proof rules) can be extended to systems of quantified differ-ential equations, simultaneous assignments to multiple functions f, g, or statements with multiplequantifiers (∀i :C ∀j :D . . . ). To simplify notation, we do not focus on these cases, which arevectorial extensions [17, 2].

Example Continuous movement of position x(i) of car i with acceleration a(i) is expressed bydifferential equation x(i)′′ = a(i), which corresponds to the first-order differential equation systemx(i)′ = v(i), v(i)′ = a(i) with velocity v(i). Simultaneous movement of all cars with their respec-tive accelerations a(i) is expressed by the QHP ∀i :C (x(i)′′ = a(i)) where quantifier ∀i :C rangesover all cars, such that all cars co-evolve at the same time.

In addition to continuous dynamics, cars have discrete control. In the following QHP, discreteand continuous dynamics interact (repeatedly by the ∗):(∀i :C (a(i) := if∀j :C far(i, j) then a else −b fi); ∀i :C (x(i)′′ = a(i))

)∗ (3)

First, all cars i control their acceleration a(i). Each car i chooses maximum acceleration a ≥ 0for a(i) if its distance to all other cars j is far enough (some condition far(i, j)). Otherwise, ichooses full braking −b < 0. After all accelerations have been set, all cars move continuouslyalong ∀i :C (x(i)′′ = a(i)). Accelerations may change repeatedly, because the repetition operator∗ can repeat the QHP when the continuous evolution stops at any time.

4 Semantics of QdLThe QdL semantics is a constant domain Kripke semantics [9] with first-order structures as statesthat associate total functions of appropriate type with function symbols. In constant domain, allstates share the same domain for quantifiers. In particular, we choose to represent object creationnot by changing the domain of states, but by changing the interpretation of the createdness flag∃

(i) of the object denoted by i. With

∃

(i), object creation is definable (Section 5).

6

States A state σ associates an infinite set σ(C) of objects with each sort C, and it associatesa function σ(f) of appropriate type with each function symbol f , including

∃

(·). For simplicity,σ also associates a value σ(i) of appropriate type with each variable i. The domain of R andthe interpretation of 0, 1,+,−, · is that of real arithmetic. We assume constant domain for eachsort C: all states σ, τ share the same infinite domains σ(C) = τ(C). Sorts C 6= D are disjoint:σ(C) ∩ σ(D) = ∅. The set of all states is denoted by S. The state σei agrees with σ except for theinterpretation of variable i, which is changed to e.

Formulas We use σ[[θ]] to denote the value of term θ at state σ. Especially, σei [[θ]] denotes thevalue of θ in state σei , i.e., in state σ with i interpreted as e. Further, ρ(α) denotes the state transitionrelation of QHP α as defined below. The interpretation σ |= φ of QdL formula φ with respect tostate σ is defined as:

1. σ |= (θ1 = θ2) iff σ[[θ1]] = σ[[θ2]]; accordingly for ≥.

2. σ |= φ ∧ ψ iff σ |= φ and σ |= ψ; accordingly for ¬.

3. σ |= ∀i :C φ iff σei |= φ for all objects e ∈ σ(C).

4. σ |= ∃i :C φ iff σei |= φ for some object e ∈ σ(C).

5. σ |= [α]φ iff τ |= φ for all states τ with (σ, τ) ∈ ρ(α).

6. σ |= 〈α〉φ iff τ |= φ for some τ with (σ, τ) ∈ ρ(α).

Programs The transition relation, ρ(α) ⊆ S × S, of QHP α specifies which state τ ∈ S isreachable from σ ∈ S by running QHP α. It is defined inductively:

1. (σ, τ) ∈ ρ(∀i :C f(~s) := θ) iff state τ is identical to σ except that at each position ~o of f : ifσei [[~s]] = ~o for some object e ∈ σ(C), then τ(f)

(σei [[~s]]

)= σei [[θ]]. If there are multiple objects

e giving the same position σei [[~s]] = ~o, then all of the resulting states τ are reachable.

2. (σ, τ) ∈ ρ(∀i :C f(~s)′ = θ&χ) iff, there is a function ϕ:[0, r]→ S for some r ≥ 0 withϕ(0) = σ and ϕ(r) = τ satisfying the following conditions. At each time t ∈ [0, r], stateϕ(t) is identical to σ, except that at each position ~o of f : if σei [[~s]] = ~o for some objecte ∈ σ(C), then, at each time ζ ∈ [0, r]:

• The differential equations hold and derivatives exist (trivial for r = 0):

d (ϕ(t)ei [[f(~s)]])

dt(ζ) = (ϕ(ζ)ei [[θ]])

• The evolution domain is respected: ϕ(ζ)ei |= χ.

If there are multiple objects e giving the same position σei [[~s]] = ~o, then all of the resultingstates τ are reachable.

7

3. ρ(?χ) = {(σ, σ) : σ |= χ}

4. ρ(α ∪ β) = ρ(α) ∪ ρ(β)

5. ρ(α; β) = {(σ, τ) : (σ, z) ∈ ρ(α) and (z, τ) ∈ ρ(β) for a state z}

6. (σ, τ) ∈ ρ(α∗) iff there is an n ∈ N with n ≥ 0 and there are states σ = σ0, . . . , σn = τ suchthat (σi, σi+1) ∈ ρ(α) for all 0 ≤ i < n.

The semantics is explicit change: nothing changes unless an assignment or differential equationspecifies how. In cases 1–2, only f changes and only at positions of the form σei [[~s]] for someinterpretation e ∈ σ(C) of i. If there are multiple such e that affect the same position ~o, any of thosechanges can take effect by a nondeterministic choice. QHP ∀i :C x := a(i) may change x to anya(i). Hence, [∀i :C x := a(i)]φ(x) ≡ ∀i :C φ(a(i)) and 〈∀i :C x := a(i)〉φ(x) ≡ ∃i :C φ(a(i)).Similarly, x can evolve along ∀i :C x′ = a(i) with any of the slopes a(i). But evolutions cannotstart with slope a(c) and then switch to a different slope a(d) later. Any choice for i is possible buti remains unchanged during each evolution.

We call a quantified assignment ∀i :C f(~s) := θ or a quantified differential equation of theform ∀i :C f(~s)′ = θ&χ injective iff there is at most one e satisfying cases 1–2. We call quanti-fied assignments and quantified differential equations schematic iff ~s is i (thus injective) and theonly arguments to function symbols in θ are i. Schematic quantified differential equations like∀i :C f(i)′ = a(i) &χ are very common, because distributed hybrid systems often have a familyof similar differential equations replicated for multiple participants i. Their synchronization typ-ically comes from discrete communication on top of their continuous dynamics, less often fromcomplicated, physically coupled differential equations.

5 Actual Existence and Object CreationActual Existence For the QdL semantics, we chose constant domain semantics, i.e., all statesshare the same domains. Thus quantifiers range over all possible objects (possibilist quantification)not just over active existing objects (actualist quantification in varying domains) [9]. In order todistinguish between actual objects that exist in a state, because they have already been createdand can now actively take part in its evolution, versus possible objects that still passively awaitcreation, we use function symbol

∃

(·). Symbol

∃

(·) is similar to existence predicates in first-ordermodal logic [9], but its value can be assigned to in QHPs.

Object Creation For term i of type C 6= R,

∃

(i) = 1 represents that the object denoted by i hasbeen created and actually exists. We use

∃

(i) = 0 to represent that i has not been created. Objectcreation amounts to changing the interpretation of

∃

(i). For an object denoted by i that has not beencreated (

∃

(i) = 0), object creation corresponds to the state change caused by assignment

∃

(i) := 1.With quantified assignments and function symbols, object creation is definable:

n := newC ≡ (∀j :C n := j); ?(

∃

(n) = 0);

∃

(n) := 1

8

It assigns an arbitrary j of type C to n that did not exist before (

∃

(n) = 0) and adjusts existence(

∃

(n) := 1). Disappearance of object i corresponds to

∃

(i) := 0. Our choice avoids semanticsubtleties of varying domains about the meaning of free variables denoting non-existent objectsas in free logics [9]. Denotation is standard. Terms may just denote objects that have not beenactivated yet. This is useful to initialize new objects (e.g., x(n) := 8) before activation (

∃

(n) := 1).

Actualist Quantifiers We define abbreviations for actualist quantifiers in formulas / quantifiedassignments / quantified differential equations that range only over previously created objects,similar to relativization in modal logic [9]:

∀i :C! φ ≡ ∀i :C (

∃

(i) = 1→ φ)

∃i :C! φ ≡ ∃i :C (

∃

(i) = 1 ∧ φ)

∀i :C! f(~s) := θ ≡ ∀i :C f(~s) := (if

∃

(i) = 1 then θ else f(~s) fi)

∀i :C! f(~s)′ = θ ≡ ∀i :C f(~s)′ = (if

∃

(i) = 1 then θ else 0 fi) ≡ ∀i :C f(~s)′ =

∃

(i)θ

The last 2 cases define quantified state change for actually existing objects using conditional termsthat choose effect θ if

∃

(i) = 1 and choose no effect (retaining the old value f(~s) or evolving withslope 0) if

∃

(i) = 0. NotationC! signifies that the quantifier domain is restricted to actually existingobjects of type C.

We generally assume that QHPs involve only quantified assignments / differential equationsthat are restricted to created objects, because real systems only affect objects that are physicallypresent, not those that will be created later. We still treat actualist quantification over C! as adefined notion, in order to simplify the semantics and proof calculus by separating object creationfrom quantified state change rules in a modular way. If only finitely many objects have beencreated in the initial state (say 0), then it is easy to see that only finitely many new objects will becreated with finitely many such QHP transitions, because each quantified state change for C! onlyranges over a finite domain then. We thus assume

∃

(·) to have (unbounded but) finite support, i.e.,each state only has a finite number of positions i at which

∃

(i) = 1. This makes sense in practice,because there is a varying but still finite numbers of participants (e.g., cars).

Example In order to restrict the dynamics and properties in the car control examples of Section 3to created and physically present cars, we simply replace each occurrence of ∀i :C with ∀i :C! . Achallenging feature of distributed car control, however, is that new cars may appear dynamicallyfrom on-ramps (Fig. 1) changing the set of active objects. To model this, we consider the followingQHP:

DCCS ≡ (n := newC; (?∀i :C!M(i, n)); ∀i :C! (x(i)′′ = a(i)))∗ (4)

It creates a new car n at an arbitrary position x(n) satisfying compatibility conditionM(i, n) withrespect to all other created cars i. Hence DCCS allows new cars to appear, but not drop right outof the sky in front of a fast car or run at Mach 8 only 10ft away. When cars appear into the horizonfrom on-ramps, this condition captures that a car is only allowed to join the lane (“appear” into themodel world) if it cannot cause a crash with other existing cars (Fig. 1). Unboundedly many cars

9

may appear during the operation of DCCS and change the system dimension arbitrarily, becauseof the repetition operator ∗.

DCCS is simple but shows how properties of distributed hybrid systems can be expressed inQdL. Structural dynamics corresponds to assignments to function terms. Say, f(i) is the carregistered by communication as the car following car i. Then a term d(i, f(i)), which denotes theminimum safety distance negotiated between car i and its follower, is a crucial part of the systemdynamics. Restructuring the system in response to lane change corresponds to assigning a newvalue to f(i), which impacts the value of d(i, f(i)) in the system dynamics.

6 Proof CalculusIn Fig. 2, we present a proof calculus for QdL formulas. We use the sequent notation informallyfor a systematic proof structure. With finite sets of formulas for the antecedent Γ and succedent ∆,sequent Γ→∆ is an abbreviation for the formula

∧φ∈Γ φ →

∨ψ∈∆ ψ. The calculus uses standard

proof rules for propositional logic with cut rule (not shown). The proof rules are used backwardsfrom the conclusion (goal below horizontal bar) to the premisses (subgoals above bar).

In the calculus, we use substitutions that take effect within formulas and programs (defined asusual). Only admissible substitutions are applicable, which is crucial for soundness. An appli-cation of a substitution σ is admissible if no replaced term θ occurs in the scope of a quantifieror modality binding a symbol in θ or in its replacement σθ. A modality binds a symbol f iff itcontains an assignment to f (like ∀i :C f(~s) := θ) or a differential equation containing a f(~s)′

(like ∀i :C f(~s)′ = θ). The substitutions in Fig. 2 that insert a term θ into φ(θ) also have to beadmissible for the proof rules to be applicable.

Regular Rules The next proof rules axiomatize sequential composition ([;],〈;〉), nondeterministicchoice ([∪],〈∪〉), and test ([?],〈?〉) of regular programs as in dynamic logic [10]. Like other rulesin Fig. 2, these rules do not contain sequent symbol→, i.e., they can be applied to any subformula.These rules represent (directed) equivalences: conclusion and premiss are equivalent.

Quantified Differential Equations Rules [′],〈′〉 handle continuous evolutions for quantified dif-ferential equations with first-order definable solutions. Given a solution for the quantified differ-ential equation system with symbolic initial values f(~s), continuous evolution along differentialequations can be replaced with a quantified assignment ∀i :C S(t) corresponding to the solution(footnote 1 in Fig. 2), and an additional quantifier for evolution time t. In [′], postcondition φ needsto hold for all evolution durations t. In 〈′〉, it needs to hold after some duration t. The constrainton χ restricts the continuous evolution to remain in the evolution domain region χ at all interme-diate times t ≤ t.

For schematic cases like ∀i :C f(i)′ = a(i), first-order definable solutions can be obtained byadding argument i to first-order definable solutions of the deparametrized version f ′ = a. We onlypresent proof rules for first-order definable solutions of quantified differential equations here. See[18] for other proof rules.

10

([;])[α][β]φ

[α; β]φ

(〈;〉)〈α〉〈β〉φ〈α; β〉φ

([∪])[α]φ ∧ [β]φ

[α ∪ β]φ

(〈∪〉)〈α〉φ ∨ 〈β〉φ〈α ∪ β〉φ

([?])χ→ ψ

[?χ]ψ

(〈?〉)χ ∧ ψ〈?χ〉ψ

([′])∀t≥0

((∀0≤t≤t [∀i :C S(t)]χ)→ [∀i :C S(t)]φ

)[∀i :C f(~s)′ = θ&χ]φ

1

(〈′〉)∃t≥0

((∀0≤t≤t 〈∀i :C S(t)〉χ) ∧ 〈∀i :C S(t)〉φ

)〈∀i :C f(~s)′ = θ&χ〉φ

1

([:=])if∃i :C ~s = [A]~u then∀i :C (~s = [A]~u→ φ(θ)) elseφ(f([A]~u)) fi

φ([∀i :C f(~s) := θ]f(~u))2

(〈:=〉)if∃i :C ~s = 〈A〉~u then∃i :C (~s = 〈A〉~u ∧ φ(θ)) elseφ(f(〈A〉~u)) fi

φ(〈∀i :C f(~s) := θ〉f(~u))2

(skip)Υ([∀i :C f(~s) := θ]~u)

[∀i :C f(~s) := θ]Υ(~u)3

(ex)true

∃n :C

∃

(n) = 0

([:∗])∀j :C φ(θ)

[∀j :C n := θ]φ(n)(〈:∗〉)

∃j :C φ(θ)

〈∀j :C n := θ〉φ(n)

(∃r)Γ→φ(θ),∃xφ(x),∆

Γ→∃xφ(x),∆4

(∀l)Γ, φ(θ),∀xφ(x)→∆

Γ,∀xφ(x)→∆4

(∀r)Γ→φ(f(X1, . . , Xn)),∆

Γ→∀xφ(x),∆5

(∃l)Γ, φ(f(X1, . . , Xn))→∆

Γ,∃xφ(x)→∆5

(i∀)QE(∀X, Y (if~s = ~t then Φ(X)→Ψ(X) else Φ(X)→Ψ(Y ) fi))

Φ(f(~s))→Ψ(f(~t))6

(i∃)QE(∃X

∧i(Φi→Ψi))

Φ1→Ψ1 . . . Φn→Ψn

7

([]gen)φ→ψ

Γ, [α]φ→[α]ψ,∆(〈〉gen)

φ→ψΓ, 〈α〉φ→〈α〉ψ,∆

(ind)φ→[α]φ

Γ, φ→[α∗]φ,∆

(con)v > 0 ∧ ϕ(v)→ 〈α〉ϕ(v − 1)

Γ,∃v ϕ(v)→〈α∗〉∃v≤0ϕ(v),∆8

1t, t are new variables, ∀i :C S(t) is the quantified assignment ∀i :C f(~s) := y~s(t) with solutions y~s(t) of the(injective) differential equations and f(~s) as initial values.

2Occurrence f(~u) in φ(f(~u)) is not in scope of a modality (admissible substitution) and we abbreviate assignment∀i :C f(~s) := θ by A, which is assumed to be injective.

3f 6= Υ and the quantified assignment ∀i :C f(~s) := θ is injective. The same rule applies for 〈∀i :C f(~s) := θ〉instead of [∀i :C f(~s) := θ].

4θ is an arbitrary term, often a new logical variable.5f is a new (Skolem) function and X1, . . , Xn are all free logical variables of ∀xφ(x).6X,Y are new variables of sort R. QE needs to be applicable in the premiss.7Among all open branches, the free (existential) logical variable X of sort R only occurs in the branches Φi→Ψi.

QE needs to be defined for the formula in the premiss, especially, no Skolem dependencies on X occur.8logical variable v does not occur in α.

Figure 2: Rule schemata of the proof calculus for quantified differential dynamic logic.

11

Quantified Assignments Rules [:=],〈:=〉 handle quantified assignments (both are equivalent forthe injective case, i.e., a match for at most one i). Their effect depends on whether the quantifiedassignment ∀i :C f(~s) := θ matches f(~u), i.e., there is a choice for i such that f(~u) is affected bythe assignment, because ~u is of the form ~s for some i. If it matches, the premiss uses the term θassigned to f(~s) instead of f(~u), either for all possible i :C that match f(~u) in case of [:=], orfor some of those i :C in case of 〈:=〉. Otherwise, the occurrence of f in φ(f(~u)) will be leftunchanged. Rules [:=],〈:=〉 make a case distinction on matching by if-then-else. In all cases,the original quantified assignment ∀i :C f(~s) := θ, which we abbreviate by A, will be appliedto ~u in the premiss, because the value of argument ~u may also be affected by A, recursively.Rule skip characterizes that quantified assignments to f have no effect on all other operatorsΥ 6= f (including other function symbols, ∧, if then else fi), so that only argument ~u is affectedby prefixing A but Υ remains unchanged.

Rules [:=],〈:=〉,skip also apply for assignments without quantifiers, which correspond to vacu-ous quantification ∀i :C where i does not occur anywhere. Rules [:∗],〈:∗〉 reduce nondeterministicassignments to universal or existential quantification. For nondeterministic differential equations,see [18].

Object Creation Given our definition of newC as a QHP from Section 5, object creation can beproven by the other proof rules in Fig. 2. In addition, axiom ex expresses that, for sortC 6= R, therealways is a new object n that has not been created yet (

∃

(n) = 0), because domains are infinite.

Quantifiers For quantifiers, we cannot just use standard rules [8], because these are for uninter-preted first-order logic and work by instantiating quantifiers, eagerly as in ground tableaux or lazilyby unification as in free variable tableaux [8]. QdL is based on first-order logic interpreted overthe reals [5]. A formula like ∃a :R ∀x :R (x2 + a > 0) cannot be proven by instantiating quanti-fiers but is still valid for reals. Unfortunately, the decision procedure for real arithmetic, quantifierelimination (QE) in the theory of real-closed fields [5], cannot be applied to formulas with modal-ities either, because these are quantified reachability statements. Even in discrete dynamic logic,quantifiers plus modalities make validity Π1

1-complete [10]. Also QE cannot handle sorts C 6= R.Instead, our QdL proof rules combine quantifier handling of many-sorted logic based on instan-

tiation with theory reasoning by QE for the theory of reals. Figure 2 shows rules for quantifiersthat combine with decision procedures for real-closed fields. Classical instantiation is sound forsort R, just incomplete.

Rules ∃r and ∀l instantiate with arbitrary terms θ, including a new free variableX , where ∃r and∀l become the usual γ-rules [8, 9]. Rules ∀r and ∃l correspond to the δ-rule [8]. As in our previouswork [17], rules i∀ and i∃ reintroduce and eliminate quantifiers over R once QE is applicable,as the remaining constraints are first-order in the respective variables. Unlike in previous work,however, functions and different argument vectors can occur in QdL. If the argument vectors~s and ~t in i∀ have the same value, the same variable X can be reintroduced for f(~s) and f(~t),otherwise different variablesX 6= Y have to be used. Rule i∃merges all proof branches containing(existential) variable X , because X has to satisfy all branches simultaneously. It thus has multipleconclusions. See [17] for merging and for lifting QE to the presence of function symbols, including

12

formulas that result from the base theory by substitution.

Global Rules The rules in the last block depend on the truth of their premisses in all statesreachable by α, thus the context Γ,∆ cannot be used in the premiss. Rules []gen,〈〉gen are Godelgeneralization rules and ind is an induction schema for loops with inductive invariant φ [10]. Sim-ilarly, con generalizes Harel’s convergence rule [10] to the hybrid case with decreasing variant ϕ[17].

7 Soundness and CompletenessThe verification problem for distributed hybrid systems has three independent sources of unde-cidability. Thus, no verification technique can be effective. Hence, QdL cannot be effectivelyaxiomatizable. Both its discrete and its continuous fragments alone are subject to Godel’s incom-pleteness theorem [17]. The fragment with only structural and dimension-changing dynamics isnot effective either, because it can encode two-counter machines. The standard way to show ad-equacy of proof calculi for problems that are not effective is to prove completeness relative to anoracle for handling a fragment of the logic. Unlike in Cook/Harel relative completeness for dis-crete programs [10], however, QdL cannot be complete relative to the fragment of the data logic(R), because real arithmetic is decidable. Instead, we prove that our QdL calculus is a completeaxiomatization relative to an oracle for the fragment of QdL that has only quantified differentialequations in modalities. We replace rules [′],〈′〉 with an oracle and show that the QdL calculuswould be complete if only we had complete replacements for [′],〈′〉. The calculus completely liftsany approximation of this oracle to the full QdL!

Theorem 1 (Axiomatization) The calculus in Fig. 2 is a sound and complete axiomatization ofQdL relative to quantified differential equations; see [20].

This shows that properties of distributed hybrid systems can be proven to exactly the same extentto which properties of quantified differential equations can be proven. Proof-theoretically, the QdLcalculus completely lifts verification techniques for quantified continuous dynamics to distributedhybrid dynamics.

8 Distributed Car Control VerificationWith the QdL calculus and the compatibility conditionM(i, j) from eqn. (2), we can easily provecollision freedom in the distributed car control system (4):

(∀i, j :C!M(i, j))→[(n := newC; ?∀i :C!M(i, n);∀i :C! (x(i)′′ = a(i)))

∗] ∀i 6=j :C! x(i)6=x(j) (5)

See [20] for a formal QdL proof of this QdL formula, which proves collision freedom despitedynamic appearance of new cars, following the pattern of (1).

13

In a similar way, we can prove collision freedom in an advanced distributed car control systemthat has both dynamic appearance of cars on the road and more flexibility in acceleration andbraking choices of the individual cars:

∀i, j :C!M(i, j)→[(n := newC; ?∀i :C!M(i, n);

∀i :C! a(i) := if∀j :C far(i, j) then a else −b fi;

τ := 0; ∀i :C! (x(i)′ = v(i), v(i)′ = a(i), τ ′ = 1 & v(i) ≥ 0 ∧ τ ≤ ε))∗]∀i 6=j :C! x(i) 6=x(j) (6)

The QHP in this QdL formula allows all cars to change their respective acceleration freely whenall other cars are sufficiently far away; see (3). We choose a condition characterizing that the dis-tributed car control system stays controllable at least ε time units (which is the maximum reactiontime of the controller):

far(i, j) ≡ x(j) > x(i)→ x(j) > x(i) +v(i)2 − v(j)2

2b+(ab

+ 1)(a

2ε2 + εv(i)

)Similarly, we choose a refined version of compatibility conditionM(i, j) that allows varying ve-locities v(i) for the cars whenever appropriate safety distances are respected such that the cars canstill brake safely at a later point:

i 6= j →((x(i) < x(j) ∧ v(i)2 < v(j)2 + 2b(x(j)− x(i)) ∧ v(i) ≥ 0 ∧ v(j) ≥ 0)

∨ (x(i) > x(j) ∧ v(j)2 < v(i)2 + 2b(x(i)− x(j)) ∧ v(i) ≥ 0 ∧ v(j) ≥ 0))

See [20] for a formal QdL proof of QdL formula (6).

9 ConclusionsWe have introduced a system model and semantics for dynamic distributed hybrid systems togetherwith a compositional verification logic and proof calculus. We believe this is the first formalverification approach for distributed hybrid dynamics, where structure and dimension of the systemcan evolve jointly with the discrete and continuous dynamics. We have proven our calculus to bea sound and complete axiomatization relative to quantified differential equations. Our calculusproves collision avoidance in distributed car control with dynamic appearance of new cars on theroad, which is out of scope for other approaches.

Future work includes modular concurrency in distributed hybrid systems, which is alreadychallenging in discrete programs.Acknowledgments I want to thank Frank Pfenning for his helpful comments.

14

References[1] Paul C. Attie and Nancy A. Lynch. Dynamic input/output automata: A formal model for dy-

namic systems. In Kim Guldstrand Larsen and Mogens Nielsen, editors, CONCUR, volume2154 of LNCS, pages 137–151. Springer, 2001.

[2] Bernhard Beckert and Andre Platzer. Dynamic logic with non-rigid functions: A basis forobject-oriented program verification. In Ulrich Furbach and Natarajan Shankar, editors, IJ-CAR, volume 4130 of LNCS, pages 266–280. Springer, 2006.

[3] V. I. Bogachev. Deterministic and stochastic differential equations in infinite-dimensionalspaces. Acta Appl. Math., 40(1):25–93, Jul 1995.

[4] Zhou Chaochen, Wang Ji, and Anders P. Ravn. A formal description of hybrid systems. InRajeev Alur, Thomas A. Henzinger, and Eduardo D. Sontag, editors, Hybrid Systems, volume1066 of LNCS, pages 511–530. Springer, 1995.

[5] George E. Collins and Hoon Hong. Partial cylindrical algebraic decomposition for quantifierelimination. J. Symb. Comput., 12(3):299–328, 1991.

[6] Akash Deshpande, Aleks Gollu, and Pravin Varaiya. SHIFT: A formalism and a program-ming language for dynamic networks of hybrid automata. In Hybrid Systems, volume 1273of LNCS, pages 113–133. Springer, 1996.

[7] Gilles Dowek, Cesar Munoz, and Vıctor A. Carreno. Provably safe coordinated strategy fordistributed conflict resolution. In AIAA Proceedings, AIAA-2005-6047, 2005.

[8] Melvin Fitting. First-Order Logic and Automated Theorem Proving. Springer, 1996.

[9] Melvin Fitting and Richard L. Mendelsohn. First-Order Modal Logic. Kluwer, 1999.

[10] David Harel, Dexter Kozen, and Jerzy Tiuryn. Dynamic logic. MIT Press, Cambridge, 2000.

[11] Thomas A. Henzinger. The theory of hybrid automata. In LICS, pages 278–292. IEEE, 1996.

[12] Joao P. Hespanha and Ashish Tiwari, editors. HSCC, volume 3927 of LNCS. Springer, 2006.

[13] Ann Hsu, Farokh Eskafi, Sonia Sachs, and Pravin Varaiya. Design of platoon maneuverprotocols for IVHS. PATH Research Report UCB-ITS-PRR-91-6, UC Berkeley, 1991.

[14] Dexter Kozen. Kleene algebra with tests. ACM TOPLAS, 19(3):427–443, 1997.

[15] Fabian Kratz, Oleg Sokolsky, George J. Pappas, and Insup Lee. R-Charon, a modeling lan-guage for reconfigurable hybrid systems. In Hespanha and Tiwari [12], pages 392–406.

[16] Jose Meseguer and Raman Sharykin. Specification and analysis of distributed object-basedstochastic hybrid systems. In Hespanha and Tiwari [12], pages 460–475.

15

[17] Andre Platzer. Differential dynamic logic for hybrid systems. J Autom Reas, 41(2):143–189,2008.

[18] Andre Platzer. Differential-algebraic dynamic logic for differential-algebraic programs. J.Log. Comput., 20(1):309–352, 2010. DOI 10.1093/logcom/exn070.

[19] Andre Platzer. Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynam-ics. Springer, Heidelberg, 2010. To appear.

[20] Andre Platzer. Quantified differential dynamic logic for distributed hybrid systems. TechnicalReport CMU-CS-10-126, SCS, Carnegie Mellon University, 2010.

[21] William C. Rounds. A spatial logic for the hybrid π-calculus. In Rajeev Alur and George J.Pappas, editors, HSCC, volume 2993 of LNCS, pages 508–522. Springer, 2004.

[22] Philipp Rummer. Sequential, parallel, and quantified updates of first-order structures. InMiki Hermann and Andrei Voronkov, editors, LPAR, volume 4246 of LNCS, pages 422–436.Springer, 2006.

[23] D. A. van Beek, Ka L. Man, Michel A. Reniers, J. E. Rooda, and Ramon R. H. Schiffelers.Syntax and consistent equation semantics of hybrid Chi. J. Log. Algebr. Program., 68(1-2):129–210, 2006.

[24] Wolfgang Walter. Ordinary Differential Equations. Springer, 1998.

16

A Proofs for Distributed Car Control

In this section we prove collision freedom of the simple and the advanced distributed car control systemfrom Section 8. First we introduce derived proof rules to obtain shorter derivations. For short notation,we abbreviate

∃

(i) = 1 by the predicate

∃

(i), and abbreviate

∃

(i) = 0 by ¬

∃

(i). Likewise, we write∃

(i) := 1 as

∃

(i) :=> where > is the formula “true”.

A.1 Derived Proof Rules

Figure 3 shows derived rules for concise reasoning in common cases. Rule new axiomatizes object cre-ation as a simple consequence of the definition of newC (Section 5). It chooses any n that did not existbefore (¬

∃

(n)) and adjusts existence (

∃

(n) :=>). Object creation gets propagated to actualist quanti-fiers ∀i :C! ,∃i :C! ranging over all created objects, or quantified assignments / differential equationsfor all created objects by ν∀,ν∃,νA.

Derived rules ν∀,ν∃,νA characterize the effect of creating objects of type C on actualist quantifiersover type C! (for ν∀,ν∃) or on actualist quantified assignments over C! (νA). They commute objectcreation with quantification, retaining the effect on the new object explicitly. Rule ν∀ states that the newobject denoted by n—which may not have been created before—needs to satisfy φ(n) too in order for∀i :C! φ(i) to hold after

∃

(n) :=> ensures n is created. Dually, ν∃ states that created object n is analternative choice for i, in addition to the previous domain of C!.

Similarly, rule νA states that, after creating an object of type C, this created object will be affectedby actualist quantified assignments ranging over C!, so that commuting has to take care of the effect onthe new object explicitly. For this common situation where n is adjoined to the range of quantification(n might even have been in the range before, so the union is not always disjoint), we use the followingmnemonic abbreviation in the premiss of νA:

∀i :C!∪{n} f(~s) := θ

≡ ∀i :C f(~s) := if i = n ∨

∃

(i) then θ else f(~s) fi

(ν∀)〈[

∃

(n) :=>]〉φ(n) ∧ ∀i :C! 〈[

∃

(n) :=>]〉φ(i)

〈[

∃

(n) :=>]〉∀i :C! φ(i)1

(ν∃)〈[

∃

(n) :=>]〉φ(n) ∨ ∃i :C! 〈[

∃

(n) :=>]〉φ(i)

〈[

∃

(n) :=>]〉∃i :C! φ(i)1

(νA)〈[∀i :C!∪{n} f(~s) := θ]〉〈[

∃

(n) :=>]〉φ〈[

∃

(n) :=>]〉〈[∀i :C! f(~s) := θ]〉φ1

(new)∀n :C (¬

∃

(n)→ 〈[

∃

(n) :=>]〉φ)

〈[n := newC]〉φ

1n is of type C

Figure 3: Derived proof rules for object creation in quantified differential dynamic logic.

Proposition 1 The proof rules in Fig. 3 are derived rules.

17

Proof: In order to prove Proposition 1, we show that the respective proof rules in Fig. 3 can be derivedfrom the proof rules in Fig. 2 with standard propositional and first-order reasoning. Rule ν∀ is a derivedrule:

〈[

∃

(n) :=>]〉φ(n) ∧ ∀i :C! 〈[

∃

(n) :=>]〉φ(i)〈[

∃

(n) :=>]〉φ(n) ∧ ∀i :C (

∃

(i)→ 〈[

∃

(n) :=>]〉φ(i))∀i :C

((i = n → 〈[

∃

(n) :=>]〉φ(i)) ∧ (i 6= n → (

∃

(i)→ 〈[

∃

(n) :=>]〉φ(i))))

∀i :C (if i = n then> else

∃

(i) fi→ 〈[

∃

(n) :=>]〉φ(i))[:=],〈:=〉 ∀i :C (〈[

∃

(n) :=>]〉

∃

(i)→ 〈[

∃

(n) :=>]〉φ(i))skip,skip 〈[

∃

(n) :=>]〉∀i :C (

∃

(i)→ φ(i))〈[

∃

(n) :=>]〉∀i :C! φ(i)

This proof uses simple boolean reasoning (formally: cut) to substitute in i = n in the left conjunct andremove i 6= n on the right conjunct (i = n can be covered in both conjuncts).

Rule ν∃ is a derived rule with a similar proof:

〈[

∃

(n) :=>]〉φ(n) ∨ ∃i :C! 〈[

∃

(n) :=>]〉φ(i)〈[

∃

(n) :=>]〉φ(n) ∨ ∃i :C (

∃

(i) ∧ 〈[

∃

(n) :=>]〉φ(i))∃i :C

((i = n ∧ 〈[

∃

(n) :=>]〉φ(i)) ∨ (i 6= n ∧

∃

(i) ∧ 〈[

∃

(n) :=>]〉φ(i)))

∃i :C((i = n → 〈[

∃

(n) :=>]〉φ(i)) ∧ (i 6= n →

∃

(i) ∧ 〈[

∃

(n) :=>]〉φ(i)))

∃i :C (if i = n then> else

∃

(i) fi ∧ 〈[

∃

(n) :=>]〉φ(i))[:=],〈:=〉 ∃i :C (〈[

∃

(n) :=>]〉

∃

(i) ∧ 〈[

∃

(n) :=>]〉φ(i))skip,skip 〈[

∃

(n) :=>]〉∃i :C (

∃

(i) ∧ φ(i))〈[

∃(n) :=>]〉∃i :C! φ(i)

Assuming

∃

() does not occur in the assignment f(~s) := θ, the rule νA is a derived proof rule:

〈[∀i :C!∪{n} f(~s) := θ]〉〈[

∃

(n) :=>]〉φ〈[∀i :C f(~s) := if i = n ∨

∃

(i) then θ else f(~s) fi]〉〈[

∃

(n) :=>]〉φ〈[∀i :C f(~s) := if (if i = n then> else

∃

(i) fi) then θ else f(~s) fi]〉〈[

∃

(n) :=>]〉φ[:=],〈:=〉 〈[

∃

(n) :=>]〉〈[∀i :C f(~s) := if

∃

(i) then θ else f(~s) fi]〉φ〈[

∃

(n) :=>]〉〈[∀i :C! f(~s) := θ]〉φ

If, instead,

∃

() does occur in f(~s) := θ, then there is a similar derived rule where ~s and θ are affectedaccordingly. Rule new is a derived rule by the definition of newC as a QHP from Section 5, using ex toshow existence of an n for 〈n := newC〉φ. �

A.2 Proofs for Simple Distributed Car Control

In the QdL calculus, we prove collision freedom for the simpler distributed car control system, i.e.,QdL formula (5) from Section 8, even in the presence of dynamic appearance of new cars on the road.The proof is shown in Fig. 4. It uses induction rule ind with invariant ∀i, j :C!M(i, j). We recall thefollowing abbreviations:

M(i, j) ≡ i 6= j →((x(i) < x(j) ∧ v(i) ≤ v(j) ∧ a(i) ≤ a(j)) ∨ (x(i) > x(j) ∧ v(i) ≥ v(j) ∧ a(i) ≥ a(j))

)∀i :C! (x(i)′′ = a(i)) ≡ ∀i :C! (x(i)′ = v(i), v(i)′ = a(i))

18

We use the notation [[α]]φ as synonymous for [α]φ here just to have more readable bracket grouping.Figure 4 does not show the branch proving that the invariant ∀i, j :C!M(i, j) implies the postcondition∀i6=j :C! x(i)6=x(j), which is simple to show.

∗ by QEi∀ ,Mi,n , t≥0→StMi,ni∀ ,M(i, n), t≥0→StM(i, n)∀l. . . ,∀i :C!M(i, n), t≥0→StM(i, n)

∗ by QEi∀ Mi,j ,∀i :C!M(i, n), t≥0→StMi,ji∀ M(i, j),∀i :C!M(i, n), t≥0→StM(i, j)∀l∀i, j :C!M(i, j),∀i :C!M(i, n), t≥0→StM(i, j)

∧r ∀i, j :C!M(i, j),∀i :C!M(i, n), t≥0→StM(i, n) ∧ StM(i, j)[:=] ∀i, j :C!M(i, j),∀i :C!M(i, n), t≥0→[[∀i :C!∪{n} St(i)]](M(i, n) ∧M(i, j))∀r ∀i, j :C!M(i, j),∀i :C!M(i, n), t≥0→[[∀i :C!∪{n} St(i)]]∀i, j :C! (M(i, n) ∧M(i, j))

∀i, j :C!M(i, j),∀i :C!M(i, n), t≥0→[[∀i :C!∪{n} St(i)]](∀i :C!M(i, n) ∧M(n, n) ∧ ∀i, j :C!M(i, j) ∧ ∀j :C!M(n, j))ν∀ ∀i, j :C!M(i, j),∀i :C!M(i, n), t≥0→[[∀i :C!∪{n} St(i)]][

∃

(n) := 1]∀i, j :C!M(i, j)νA ∀i, j :C!M(i, j),∀i :C!M(i, n), t≥0→[

∃

(n) := 1][[∀i :C! St(i)]]∀i, j :C!M(i, j)∀r,→r ∀i, j :C!M(i, j),∀i :C!M(i, n)→[

∃

(n) := 1]∀t≥0 [[∀i :C! St(i)]]∀i, j :C!M(i, j)[′] ∀i, j :C!M(i, j),M(n, n),∀i :C!M(i, n)→[

∃

(n) := 1][[∀i :C! (x(i)′′ = a(i))]]∀i, j :C!M(i, j)ν∀,∧l∀i, j :C!M(i, j), [

∃

(n) := 1]∀i :C!M(i, n)→[

∃

(n) := 1][[∀i :C! (x(i)′′ = a(i))]]∀i, j :C!M(i, j)→r ∀i, j :C!M(i, j)→[

∃

(n) := 1](∀i :C!M(i, n)→ [[∀i :C! (x(i)′′ = a(i))]]∀i, j :C!M(i, j))[?] ∃

(n) = 0,∀i, j :C!M(i, j)→[

∃

(n) := 1][[?∀i :C!M(i, n);∀i :C! (x(i)′′ = a(i))]]∀i, j :C!M(i, j)new ∀i, j :C!M(i, j)→[n := newC][[?∀i :C!M(i, n);∀i :C! (x(i)′′ = a(i))]]∀i, j :C!M(i, j)[;] ∀i, j :C!M(i, j)→[[n := newC; ?∀i :C!M(i, n);∀i :C! (x(i)′′ = a(i))]]∀i, j :C!M(i, j)ind ∀i, j :C!M(i, j)→[[(n := newC; ?∀i :C!M(i, n); ∀i :C! (x(i)′′ = a(i)))

∗]]∀i6=j :C! x(i)6=x(j)

M(i, j) ≡ i 6= j →((x(i) < x(j) ∧ v(i) ≤ v(j) ∧ a(i) ≤ a(j)) ∨ (x(i) > x(j) ∧ v(i) ≥ v(j) ∧ a(i) ≥ a(j))

)Mi,j ≡ if i = j then i 6= i→

((Xi < Xi ∧ Vi ≤ Vi ∧ Ai ≤ Ai) ∨ (Xi > Xi ∧ Vi ≥ Vi ∧ Ai ≥ Ai)

)else i 6= j →

((Xi < Xj ∧ Vi ≤ Vj ∧ Ai ≤ Aj) ∨ (Xi > Xj ∧ Vi ≥ Vj ∧ Ai ≥ Aj)

)fi

≡ i 6= j →((Xi < Xj ∧ Vi ≤ Vj ∧ Ai ≤ Aj) ∨ (Xi > Xj ∧ Vi ≥ Vj ∧ Ai ≥ Aj)

)St(i) ≡ x(i) := x(i) + v(i)t+

a(i)

2t2 ∧ v(i) := v(i) + a(i)t

StM(i, j) ≡ i 6= j →((x(i) + v(i)t+

a(i)

2t2 < x(j) + v(j)t+

a(j)

2t2 ∧ v(i) + a(i)t ≤ v(j) + a(j)t ∧ a(i) ≤ a(j))

∨ (x(i) + v(i)t+a(i)

2t2 > x(j) + v(j)t+

a(j)

2t2 ∧ v(i) + a(i)t ≥ v(j) + a(j)t ∧ a(i) ≥ a(j))

)StMi,j ≡ i 6= j →

((Xi + Vit+

Ai

2t2 < Xj + Vjt+

Aj

2t2 ∧ Vi + Ait ≤ Vj + Ajt ∧ Ai ≤ Aj)

∨ (Xi + Vit+Ai

2t2 > Xj + Vjt+

Aj

2t2 ∧ Vi + Ait ≥ Vj + Ajt ∧ Ai ≥ Aj)

)Figure 4: QdL proof for collision freedom in distributed car control.

DCCS Verification To save space in the car proof, we directly apply proof rules ∀r,→r after the newrule in Fig. 4. Furthermore, the top-most ν∀ rule application in Fig. 4 and its subsequent simplificationstep

(M(n, n) ∧ ∀i :C!M(i, n) ∧ ∀j :C!M(n, j) ∧ ∀i, j :C!M(i, j))ν∀ [

∃

(n) := 1]∀i, j :C!M(i, j)

19

is justified by

(M(n, n) ∧ ∀i :C!M(i, n) ∧ ∀j :C!M(n, j) ∧ ∀i, j :C!M(i, j))M(n, n) ∧ ∀j :C!M(n, j) ∧ ∀i :C! (M(i, n) ∧ ∀j :C!M(i, j))

ν∀ [

∃

(n) := 1]∀j :C!M(n, j) ∧ ∀i :C! [

∃

(n) := 1]∀j :C!M(i, j)ν∀ [

∃

(n) := 1]∀i :C! ∀j :C!M(i, j)

There,M(n, n) simplifies to true, because it assumes n 6= n. Likewise, ∀j :C!M(n, j) is subsumedby ∀i :C!M(i, n), becauseM(i, j) is equivalent toM(j, i).

A.3 Proofs for Advanced Distributed Car Control with Acceleration

In this section, we show a formal QdL proof of the QdL formula (6) for the advanced distributed carcontrol system. See Fig. 5 on page 21 for a proof of distributed car control in the presence of freeacceleration and braking, regulated only by the safety distances to other cars. The proof uses inductionrule ind with invariant ∀i, j :C!M(i, j). We use the notation [[α]]φ as synonymous for [α]φ here just tohave more readable bracket grouping.

The major difference of the distributed car dynamics considered on page 21 compared to Fig. 4 is thatthe operation ∀i :C! A(i) adjusts the respective accelerations a(i) of all cars i differently depending onthe distance to other cars. In particular, the cars do no longer have monotonically increasing velocitiesand accelerations. For each car i, however, maximum acceleration a(i) := a is only permitted whenthe safety distance is big enough, otherwise the car brakes by a(i) :=−b (for maximum accelerationconstant a ≥ 0 and maximum braking force b > 0).

The safety condition in A(i) for an acceleration choice of car i is that for cars j further down theroad (greater positions x(j) > x(i)), the distance x(j)− x(i) must be large enough so that car i cansafely accelerate for up to ε time units and still keep the safety distance to j in the future by appropriatebraking, in spite of the increased velocity. This safety distance depends on the respective velocitiesv(i) and v(j) as well as a, b, ε. Parameter ε is the maximum reaction time for reacting to situationchanges, which results from sensor polling frequencies, worst-case computation times, and latencies inactuator activation. Every control cycle is restricted to take at most ε time units by the evolution domainrestriction τ ≤ ε in the definition of the continuous dynamics that we abbreviate by ∀i :C! (x(i)′′ = a(i))as defined on page 21. The definition of the compatibility conditionM(i, j) is adapted correspondinglyto take into account that the cars may move with completely different accelerations, if only the safetydistances are compatible with the different velocities:

M(i, j) ≡ i 6= j →((x(i) < x(j) ∧ v(i)2 < v(j)2 + 2b(x(j)− x(i)) ∧ v(i) ≥ 0 ∧ v(j) ≥ 0)

∨ (x(i) > x(j) ∧ v(j)2 < v(i)2 + 2b(x(i)− x(j)) ∧ v(i) ≥ 0 ∧ v(j) ≥ 0))

In fact, any acceleration between −b and a could also be chosen safely in the acceleration case of A(i),which only makes the proof slightly more complicated.

A.4 Existence and Uniqueness

Existence/uniqueness of solutions by Picard-Lindelof / Cauchy-Lipschitz theorem [24, Theorem 10.VI]and by Peano theorem [24, Theorem 10.IX] carry over to case 2 of the the semantics ρ(α) in Section 4

20

∗ by QEi∀ ,Mi,n , t≥0→AStMi,ni∀ ,M(i, n), t≥0→AStM(i, n)∀l,∀i :C!M(i, n), t≥0→AStM(i, n)

∗ by QEi∀ Mi,j , , t≥0→AStMi,ji∀ M(i, j), , t≥0→AStM(i, j)∀l∀i, j :C!M(i, j), , t≥0→AStM(i, j)

∧r ∀i, j :C!M(i, j),∀i :C!M(i, n), t≥0→AStM(i, n) ∧ AStM(i, j)[:=] ∀i, j :C!M(i, j),∀i :C!M(i, n), t≥0→[[∀i :C!∪{n} A(i)]][[∀i :C!∪{n} St(i)]](M(i, n) ∧M(i, j))∀r ∀i, j :C!M(i, j),∀i :C!M(i, n), t≥0→[[∀i :C!∪{n} A(i)]][[∀i :C!∪{n} St(i)]]∀i, j :C! (M(i, n) ∧M(i, j))

∀i, j :C!M(i, j),∀i :C!M(i, n), t≥0→[[∀i :C!∪{n} A(i)]][[∀i :C!∪{n} St(i)]](∀i :C!M(i, n) ∧ ∀i, j :C!M(i, j))ν∀ ∀i, j :C!M(i, j),∀i :C!M(i, n), t≥0→[[∀i :C!∪{n} A(i)]][[∀i :C!∪{n} St(i)]][

∃

(n) := 1]∀i, j :C!M(i, j)νA ∀i, j :C!M(i, j),∀i :C!M(i, n), t≥0→[[∀i :C!∪{n} A(i)]][

∃

(n) := 1][[∀i :C! St(i)]]∀i, j :C!M(i, j)∀r,→r ∀i, j :C!M(i, j),∀i :C!M(i, n)→[[∀i :C!∪{n} A(i)]][

∃

(n) := 1]∀t≥0 [[∀i :C! St(i)]]∀i, j :C!M(i, j)[′] ∀i, j :C!M(i, j), ,∀i :C!M(i, n)→[[∀i :C!∪{n} A(i)]][

∃

(n) := 1][[∀i :C! (x(i)′′ = a(i))]]∀i, j :C!M(i, j)νA ∀i, j :C!M(i, j), ,∀i :C!M(i, n)→[

∃

(n) := 1]〈∀i :C! A(i)〉[[∀i :C! (x(i)′′ = a(i))]]∀i, j :C!M(i, j)[;] ∀i, j :C!M(i, j), ,∀i :C!M(i, n)→[

∃

(n) := 1][[∀i :C! A(i);∀i :C! (x(i)′′ = a(i))]]∀i, j :C!M(i, j)ν∀,∧l∀i, j :C!M(i, j), [

∃

(n) := 1]∀i :C!M(i, n)→[

∃

(n) := 1][[∀i :C! A(i);∀i :C! (x(i)′′ = a(i))]]∀i, j :C!M(i, j)→r ∀i, j :C!M(i, j)→[

∃

(n) := 1](∀i :C!M(i, n)→ [[∀i :C! A(i);∀i :C! (x(i)′′ = a(i))]]∀i, j :C!M(i, j))[?] ∃

(n) = 0,∀i, j :C!M(i, j)→[

∃

(n) := 1][[?∀i :C!M(i, n);∀i :C! A(i); ∀i :C! (x(i)′′ = a(i))]]∀i, j :C!M(i, j)new ∀i, j :C!M(i, j)→[n := newC][[?∀i :C!M(i, n);∀i :C! A(i);∀i :C! (x(i)′′ = a(i))]]∀i, j :C!M(i, j)[;] ∀i, j :C!M(i, j)→[[n := newC; ?∀i :C!M(i, n);∀i :C! A(i);∀i :C! (x(i)′′ = a(i))]]∀i, j :C!M(i, j)ind ∀i, j :C!M(i, j)→[[(n := newC; ?∀i :C!M(i, n);∀i :C! A(i); ∀i :C! (x(i)′′ = a(i)))

∗]]∀i6=j :C! x(i)6=x(j)

∀i :C! (x(i)′′ = a(i)) ≡ τ := 0; ∀i :C! (x(i)′ = v(i), v(i)′ = a(i), τ ′ = 1 & v(i) ≥ 0 ∧ τ ≤ ε)

A(i) ≡ a(i) := if∀j :C

(x(j) > x(i)→ x(j) > x(i) +

v(i)2 − v(j)2

2b+(ab

+ 1)(a

2ε2 + εv(i)

))then aelse −b fi

M(i, j) ≡ i 6= j →((x(i) < x(j) ∧ v(i)2 < v(j)2 + 2b(x(j)− x(i)) ∧ v(i), v(j) ≥ 0)

∨ (x(i) > x(j) ∧ v(j)2 < v(i)2 + 2b(x(i)− x(j)) ∧ v(i), v(j) ≥ 0))

Mi,j ≡ if i = j then i 6= i→((Xi < Xi ∧ V2

i < V2i + 2b(Xi − Xi) ∧ Vi, Vi ≥ 0) ∨ (Xi > Xi ∧ V2

i < V2i + 2b(Xi − Xi) ∧ Vi, Vi ≥ 0)

)else i 6= j →

((Xi < Xj ∧ V2

i < V2j + 2b(Xj − Xi) ∧ Vi, Vj ≥ 0) ∨ (Xi > Xj ∧ V2

j < V2i + 2b(Xi − Xj) ∧ Vi, Vj ≥ 0)

)fi

≡ i 6= j →((Xi < Xj ∧ V2

i < V2j + 2b(Xj − Xi) ∧ Vi, Vj ≥ 0) ∨ (Xi > Xj ∧ V2

j < V2i + 2b(Xi − Xj) ∧ Vi, Vj ≥ 0)

)St(i) ≡ x(i) := x(i) + v(i)t+

a(i)

2t2 ∧ v(i) := v(i) + a(i)t

AStM(i, j) ≡ is defined as follows

i 6= j →(if ∀j :C!

((x(j) > x(i)→ x(j) > x(i) +

v(i)2 − v(j)2

2b+

(a

b+ 1

)(a

2ε2+ εv(i)

)))then

if ∀i :C!

((x(i) > x(j)→ x(i) > x(j) +

v(j)2 − v(i)2

2b+

(a

b+ 1

)(a

2ε2+ εv(j)

)))then

(x(i) + v(i)t +a

2t2

< x(j) + v(j)t +a

2t2 ∧ v(i) + atv(i)

2< v(j) + atv(j)

2+ 2b(x(j) + v(j)t +

a

2t2 − x(i) + v(i)t +

a

2t2) ∧ v(i) + atv(i), v(j) + atv(j) ≥ 0)

∨ (x(i) + v(i)t +a

2t2

> x(j) + v(j)t +a

2t2 ∧ v(j) + atv(j)

2< v(i) + atv(i)

2+ 2b(x(i) + v(i)t +

a

2t2 − x(j) + v(j)t +

a

2t2) ∧ v(i) + atv(i), v(j) + atv(j) ≥ 0)

)else

(x(i) + v(i)t +a

2t2

< x(j) + v(j)t +−b

2t2 ∧ v(i) + atv(i)

2< v(j) +−btv(j)

2+ 2b(x(j) + v(j)t +

−b

2t2 − x(i) + v(i)t +

a

2t2) ∧ v(i) + atv(i), v(j) +−btv(j) ≥ 0)

∨ (x(i) + v(i)t +a

2t2

> x(j) + v(j)t +−b

2t2 ∧ v(j) +−btv(j)

2< v(i) + atv(i)

2+ 2b(x(i) + v(i)t +

a

2t2 − x(j) + v(j)t +

−b

2t2) ∧ v(i) + atv(i), v(j) +−btv(j) ≥ 0)

)fielse

if ∀i :C!

((x(i) > x(j)→ x(i) > x(j) +

v(j)2 − v(i)2

2b+

(a

b+ 1

)(a

2ε2+ εv(j)

)))then

(x(i) + v(i)t +−b

2t2

< x(j) + v(j)t +a

2t2 ∧ v(i) +−btv(i)

2< v(j) + atv(j)

2+ 2b(x(j) + v(j)t +

a

2t2 − x(i) + v(i)t +

−b

2t2) ∧ v(i) +−btv(i), v(j) + atv(j) ≥ 0)

∨ (x(i) + v(i)t +a

2t2

> x(j) + v(j)t +a

2t2 ∧ v(j) + atv(j)

2< v(i) + atv(i)

2+ 2b(x(i) + v(i)t +

a

2t2 − x(j) + v(j)t +

a

2t2) ∧ v(i) + atv(i), v(j) + atv(j) ≥ 0)

)else

(x(i) + v(i)t +−b

2t2

< x(j) + v(j)t +−b

2t2 ∧ v(i) +−btv(i)

2< v(j) +−btv(j)

2+ 2b(x(j) + v(j)t +

−b

2t2 − x(i) + v(i)t +

−b

2t2) ∧ v(i) +−btv(i), v(j) +−btv(j) ≥ 0)

∨ (x(i) + v(i)t +a

2t2

> x(j) + v(j)t +−b

2t2 ∧ v(j) +−btv(j)

2< v(i) + atv(i)

2+ 2b(x(i) + v(i)t +

a

2t2 − x(j) + v(j)t +

−b

2t2) ∧ v(i) + atv(i), v(j) +−btv(j) ≥ 0)

)fifiAStMi,j ≡ similar instance

Figure 5: QdL proof for collision freedom in distributed car control with acceleration.21

if it only affects a finite subdomain of σ(C), because the quantifier then corresponds to a finite set ofclassical differential equations. (The number of differential equations may still change dynamically overtime, though, so that the quantified differential equation system cannot be replaced with an unquanti-fied differential equation system in the QHP). For infinite σ(C), the theorems carry over to schematic∀i :C f(i)′ = θ&χ, which give an (infinite) set of disconnected classical differential equations. In allthese cases, Picard-Lindelof’s theorem implies that the solution is unique, when terms are continuouslydifferentiable (on the open domain where divisors are non-zero). For general infinite-dimensional differ-ential equations see [3]. QdL is also compatible with temporal operators that refer to intermediate statesand nonterminating traces [19].

22

B Soundness and Relative Completeness Proof

In this section, we present a fully constructive proof of Theorem 1. First, we show that the QdL calculusis a sound axiomatization of QdL ([20]). Second, we prove that the QdL calculus is a complete axioma-tization relative to quantified differential equations: every valid QdL formula can be derived in the QdLcalculus from elementary properties of quantified differential equations (remainder of [20]).

In addition to the soundness proof, we present a relative completeness proofs for QdL. The basicstructure follows that of our relative completeness proof for unquantified differential dynamic logic forfixed-dimensional static hybrid systems in previous work [17]. Here we generalize the proof to QdL. Afundamental difference to previous work is that states can be characterized trivially in fixed-dimensionalstatic hybrid systems, but it is not obvious why a finite formula would be sufficient in varying dimen-sions. In (dynamic) distributed hybrid systems, we have to prove that there is a finite formula that cancharacterize and identify all states (see [20]). In fixed-dimensional static hybrid systems, states can becharacterized and identified trivially by a fixed vector of real numbers for each system variable. In QdL,instead, states are full first-order structures with interpretations of functions for all function symbols andthe ability to characterize semantic states in logic is no longer obvious. States are no longer assignmentsof real numbers to a finite number of variables. In QdL, states are first-order interpretations of functionsymbols.

As a basis for the relative completeness proof, we define FOQD as the first-order logic of quantifieddifferential equations, i.e., first-order real arithmetic augmented with formulas expressing properties ofquantified differential equations, that is, QdL formulas of the form [∀i :C f(~s)′ = θ&χ]F . Dually,〈∀i :C f(~s)′ = θ&χ〉F is expressible as ¬[∀i :C f(~s)′ = θ&χ]¬F . Now the relative completenessdirection of Theorem 1 corresponds to proving that for every valid QdL formula, there is a finite set ofvalid FOQD-formulas from which it can be derived in the QdL calculus. See Section 7 for a road mapof the proof. We give the full proof below.

Natural numbers are definable in FOQD by a simple corollary to a previous result [17, Theorem 2].Thus, we allow quantifiers over natural numbers like ∀x :N φ and ∃x :N φ and over integers ∀x :Z φ asabbreviations.

B.1 Soundness Proof

For one direction of the proof for Theorem 1, we have to show that the QdL calculus in Fig. 2 is, indeed,a sound axiomatization. An unsound calculus would not be very interesting, and, in particular, it wouldnot be sound and complete relative to quantified differential equations.

Theorem 2 (Soundness) The QdL calculus is sound: every QdL formula that can be proven is valid,i.e., true in all states.

Proof: The calculus is sound if each rule instance is sound. Some of the rules of the QdL calculus areeven locally sound, i.e., their conclusion is true at state σ if all its premisses are true in σ, which impliessoundness. The proofs for the propositional rules, and regular rules [;],〈;〉,[∪],〈∪〉,[?],〈?〉 are as usual. Werefer to previous work [17] for the soundness proofs for ∃r,∀l,∀r,∃l,i∃, which are slightly more involved.

23

i∀ i∀ is locally sound. Assume the premiss

σ |= QE(∀X, Y (if~s = ~t then Φ(X)→Ψ(X) else Φ(X)→Ψ(Y ) fi))

Since QE yields an equivalence, we can conclude

σ |= ∀X, Y (if~s = ~t then Φ(X)→Ψ(X) else Φ(X)→Ψ(Y ) fi)

This is equivalent to σ |= if~s = ~t then∀X (Φ(X)→Ψ(X)) else∀X, Y (Φ(X)→Ψ(Y )) fi, becausefresh variables X, Y do not occur in ~s or ~t. Then assume the antecedent of the conclusion is true,i.e., σ |= Φ(f(~s)). We conclude that the succedent of the conclusion is true, σ |= Ψ(f(~t)), bychoosing σ[[f(~s)]] for X and σ[[f(~t)]] for Y in the premiss. If σ |= ¬(~s = ~t) then σ |= Ψ(f(~t)) fol-lows directly from the premiss. If, otherwise, σ |= ~s = ~t, then σ |= Ψ(f(~t)) also follows, becausethe choice σ[[f(~s)]] for X is identical to the choice σ[[f(~t)]] for Y in the premiss. By admissibilityof substitutions, any variables occurring in terms ~s and ~t are free at all occurrences of f(~s) andf(~t), hence their value is the same in all occurrences.

〈:=〉 Rule 〈:=〉 is locally sound for injective ∀i :C f(~s) := θ, which we abbreviate as A. Injective Agive a deterministic transition. Assume the premiss

σ |= if∃i :C ~s = 〈A〉~u then∃i :C (~s = 〈A〉~u ∧ φ(θ)) elseφ(f(〈A〉~u)) fi

We have to show that σ |= φ(〈∀i :C f(~s) := θ〉f(~u)). First assume that, with a fresh variable z,φ(z) is a first-order formula without modalities or quantifiers. Let τ be the (unique) state with(σ, τ) ∈ ρ(∀i :C f(~s) := θ) = ρ(A). By renaming, we can assume the quantified variable i not tooccur anywhere else than in A. We write this occurrence constraint as i 6∈ ~u and i 6∈ φ(z).

– Suppose σ |= ∃i :C ~s = 〈A〉~u, then σ |= ∃i :C (~s = 〈A〉~u ∧ φ(θ)) by premiss. That is equiv-alent to: there is an e ∈ σ(C) with σei |= ~s = 〈A〉~u ∧ φ(θ). That means σei

dz |= φ(z) for

d := σei [[θ]] by the substitution lemma. This is equivalent to σdz |= φ(z), because i 6∈ φ(z), i.e.,i does not occur in φ(z), so that its value is irrelevant. We want to show that σdz |= φ(z) alsoholds for d = σ[[〈A〉f(~u)]], because this implies σ |= φ(〈A〉f(~u)) by the substitution lemma.Now

σ[[〈A〉f(~u)]] = τ [[f(~u)]] = τ(f)(τ [[~u]]

)= τ(f)

(σ[[〈A〉~u]]

) ∗= τ(f)

(σei [[~s]]

) ρ(A)= σei [[θ]] = d

Thus σ |= φ(〈A〉f(~u)). The equality marked ∗ holds, because the premiss implies σei |= ~s = 〈A〉~u,which yields

σei [[~s]] = σei [[〈A〉~u]]i 6∈~u= σ[[〈A〉~u]]

– Suppose σ |= ¬∃i :C ~s = 〈A〉~u, then σ |= φ(f(〈A〉~u)) by premiss. Thus

σdz |= φ(z)

for d := σ[[f(〈A〉~u)]] by the substitution lemma. We want to show that σdz |= φ(z) also holdsfor d = σ[[〈A〉f(~u)]], because this implies σ |= φ(〈A〉f(~u)) by the substitution lemma. Now

σ[[〈A〉f(~u)]] = τ [[f(~u)]] = τ(f)(τ [[~u]]

) ∗= σ(f)

(τ [[~u]]

)= σ(f)

(σ[[〈A〉~u]]

)= σ[[f(〈A〉~u)]] = d

24

The equality marked ∗ holds, because—by assumption σ |= ¬∃i :C ~s = 〈A〉~u—we know thatfor position τ [[~u]] = σ[[〈A〉~u]] there is no e ∈ σ(C) such that

σei [[~s]] = τ [[~u]] = σ[[〈A〉~u]]i 6∈~u= σei [[〈A〉~u]]

Thus A has no effect on the interpretation of f at position τ [[~u]] and σ and τ agree at thatposition.

In both cases, equivalence of premiss and conclusion can be established by following the equationsand equivalences backwards, which also gives a proof for the dual rule [:=]. For the case whereφ(z) contains modalities or quantifiers, the proof is accordingly using the substitution lemma andthe fact that the interpretation of the symbols occurring in 〈A〉f(~u) is not affected by the modalitiesand quantifiers in φ(z) (since all substitutions need to be admissible for QdL rules to be applicable).

skip Local soundness of rule skip for injective quantified assignments ∀i :C f(~s) := θ is a simple conse-quence of the fact that a quantified assignment to f cannot affect the evaluation of another operatorΥ 6= f , but only its arguments (assuming admissible substitutions).

ex The soundness of axiom ex (i.e., validity of the conclusion) is a simple consequence of the factthat we have assumed finite support for the createdness flag

∃

(·) and that domains are infinite.That is, there are only finitely many e ∈ σ(C) with σei |=

∃

(i) = 1, while domain σ(C) is infi-nite. Consequently, in every state σ, there always is a choice e for i that has not been created yet(σei |=

∃

(i) 6= 1).

〈′〉 Rule 〈′〉 is locally sound. Let y~s(t) be simultaneous solutions for the respective differential equa-tions with symbolic initial values f(~s). Let 〈∀i :C S(t)〉 denote the quantified assignment

〈∀i :C f(~s) := y~s(t)〉

Assume σ satisfies the premiss: σ |= ∃t≥0 (χ ∧ 〈∀i :C S(t)〉φ), with ∀0≤t≤t 〈∀i :C S(t)〉χ ab-

breviated as χ. By premiss, there is a real value r ≥ 0 such that σrt |= χ ∧ 〈∀i :C S(t)〉φ. Abbrevi-ate ∀i :C f(~s)′ = θ&χ byD. We have to show that σ |= 〈D〉φ. Equivalently, we show σrt |= 〈D〉φ,because t is a fresh variable that does not occur in D or φ. Let function ϕ : [0, r]→ S be definedsuch that (σ, ϕ(ζ)) ∈ ρ(S(t)) for all ζ ∈ [0, r]. By premiss, ϕ(0) is identical to σ and φ holdsat ϕ(r). Thus it only remains to be shown that ϕ respects the constraints for the flow function ϕ inthe definition of the semantics of ρ(D) in Section 4. In fact, ϕ obeys the continuity and differentia-bility properties required for well-definedness of time-derivatives by the corresponding propertiesof the solution y~s(t). Moreover, for any e ∈ σ(C), ϕ(ζ)ei [[f(~s)]] = σζt

e

i [[y~s(t)]] has a derivative ofvalue ϕ(ζ)ei [[θ]], because y~s is a solution of the quantified differential equation ∀i :C f(~s)′ = θ withcorresponding initial values σ(f(~s)). Further, it can be shown that the evolution invariant region χis respected along ϕ as follows: By premiss, σrt |= χ holds for the initial state σrt , thus ϕ(ζ) |= χfor all ζ ∈ [0, r]. Combining these results, we can conclude that ϕ is a witness for σ |= 〈D〉φ.The converse direction can be shown accordingly to prove equivalence and the dual rule [′] forquantified differential equations with unique solutions (see [20]). Without unique solutions, therule is a little more complicated, but still works: all parameters of all parametric solutions willneed to be quantified over in addition to time t≥0.

[:∗] Rules [:∗],〈:∗〉 are locally sound by a simple consequence of the fact that arbitrary nondeterministicassignment of θ for any j of type C to n is the same as corresponding quantification over C. The

25

semantics of [∀j :C n := θ] then is equivalent to universal quantification, that of 〈∀j :C n := θ〉 isequivalent to existential quantification.

〈〉gen Rules []gen,〈〉gen,ind,con are sound (but not locally sound) by a variation of the usual proofs [10].For 〈〉gen, let premiss φ→ψ be valid. Let the antecedent be true in a state: σ |= 〈α〉φ, i.e.,let (σ, τ) ∈ ρ(α) with τ |= φ. Hence, the premiss implies τ |= φ→ ψ, thus τ |= ψ, which im-plies σ |= 〈α〉ψ. The proof for []gen is accordingly.

ind Let premiss φ→[α]φ be valid and let the antecedent of the conclusion be true in σ, that is σ |= φ. Bypremiss, τ |= φ for all states τ with (σ, τ) ∈ ρ(α). We thus conclude σ |= φ→ [α∗]φ by inductionalong the series of states reached from σ by repeating α.

con Assume the antecedent is valid and the premiss holds in σ. By premiss, we have

τ |= v > 0 ∧ ϕ(v)→ 〈α〉ϕ(v − 1)

for all states τ . By antecedent, there is a d ∈ R such that σdv |= ϕ(v). Now, the proof is a well-founded induction on d. If d ≤ 0, we directly have σ |= 〈α∗〉∃v≤0ϕ(v) for zero repetitions. Oth-erwise, if d > 0, we have, by premiss, that

σdv |= v > 0 ∧ ϕ(v)→ 〈α〉ϕ(v − 1)

As v > 0 ∧ ϕ(v) holds true at σdv , we have for some τ with (σdv , τ) ∈ ρ(α) that τ |= ϕ(v − 1). Thus,τ d−1v |= ϕ(v) satisfies the induction hypothesis for a smaller d and a reachable τ , because (σ, τ) ∈ ρ(α)

as v does not occur in α. The induction is well-founded, because d decreases by 1 up to the basecase d ≤ 0.

�

B.2 Characterizing Real Godel Encodings

As the central device for constructing a FOQD formula that captures the effect of unboundedly manyrepetitive hybrid transitions and just uses finitely many real variables, we prove that a real version ofGodel encoding is definable in FOQD. That is, we give a FOQD formula that reversibly packs finitesequences of real values into a single real number.

Observe that a single differential equation system is not sufficient for defining these pairing functionsas their solutions are differentiable, yet, as a consequence of Morayne’s theorem [17, reference 43],there is no differentiable surjection R→ R2, nor to any part of R2 of positive measure. We show thatreal sequences can be encoded nevertheless by chaining the effects of solutions of multiple differentialequations and quantifiers.

Lemma 1 (R-Godel encoding) The formula at(Z, n, j, z), which holds iff Z is a real number that repre-sents a Godel encoding of a sequence of n real numbers with real value z at position j (for a position jwith 1 ≤ j ≤ n), is definable in FOQD. For a formula φ(z) we abbreviate ∃z (at(Z, n, j, z) ∧ φ(z))

by φ(Z(n)j ).

Proof: The proof is an immediate corollary to a result from previous work for a sublogic of QdL [17].�

26

B.3 First-order State Identification

The crucial step in the proof of Theorem 1 is the construction of QdL (in)variants that are strong enoughto characterize properties of repetition. In order to characterize QHP state transitions in QdL (in)variantsfor the completeness proof, we first need to find formulas that characterize/identify states. For finite-dimensional systems of a fixed dimension n, states can simply be characterized completely by the val-ues of all n real state variables. A particular state could be characterized uniquely by the formulax = 2 ∧ y = 0.5 ∧ z = −0.382, for example. As a trivial corollary to Lemma 1, states can then even becharacterized uniquely by one real number when using the R-Godel encoding. For infinite-dimensionalsystems, systems with changing dimension, or systems with a dynamics that depends on evolving in-terpretations of function symbols f(~s), the situation is more difficult. After all, a state of QdL is a fullfirst-order structure with functions as interpretations of function symbols, and these interpretations canchange from state to state. Furthermore, in order to navigate among states during the completeness proof,we need to be able to characterize the current first-order state, but also to recall a previously identifiedfirst-order state and express what holds true at this state.

We show that the first-order states reachable with QHP α from an initial state can be characterizeduniquely by real numbers, which can thus be quantified over. Furthermore, we show that this corre-spondence can be axiomatized in FOQD. One key observation is that the first-order interpretations canchange from state to state, but only according to the dynamics of the QHP Intuitively, the difference ofany reachable first-order state to the initial state can be characterized by a finite list of differences to theinitial state. Clearly this difference concerns only finitely many symbols occurring in α. It also concernsonly finitely many positions of their interpreted functions, because actualist quantified assignments andactualist quantified differential equations only change the interpretation of finitely many function sym-bols at finitely many positions (actual quantified domains C! occurring in actualist quantifiers of QHPsare finite). Note that it is crucial here that we have assumed the actual existence predicate

∃

(i) to havefinite support.

Lemma 2 (State identification) Let Σb be a finite set of function symbols containing

∃

(·). The opera-tors ↓ and @ , which identify and recall states reachable by QHPs, are definable in FOQD such that:

1. For every QHP α with BV(α) ⊆ Σb, every variable I 6∈ Σb of sort R, and every state σ, the formula↓ I is true in at most one of the states reachable by α from σ. That is, there is at most one state ιsuch that (σ, ι) ∈ ρ(α) and ι |= ↓ I.

2. For every QHP α with BV(α) ⊆ Σb, every variable I 6∈ Σb of sort R, every formula φ, and everystate σ, the formula @ Iφ is true in any state reachable by α from σ if and only if φ is true in the(unique) state that is reachable by α from σ in which ↓ I holds (provided such a state is reachableat all, otherwise the truth-value of @ Iφ is arbitrary). That is, suppose there is a state ι such that(σ, ι) ∈ ρ(α) and ι |= ↓ I (thus, by case 1, ι is unique with that property). Then for any state τwith (σ, τ) ∈ ρ(α), it is the case that τ |= @ Iφ if and only if ι |= φ. If, on the contrary, there is nostate ι with (σ, ι) ∈ ρ(α) and ι |= ↓ I, then this lemma makes no statement concerning the truth offormula @ Iφ at any state τ .

Proof: The formulas ↓ I and @ Iφ are like the here and at operators of hybrid-nominal logic. They can

27

be characterized by the following FOQD formulas:

θ = isf (I, ~o) ≡ if∃s :N (s < m ∧X(m)s = ~o) then∃s :N (s < m ∧X(m)

s = ~o ∧ θ = Y (m)s ) else θ = f(~o) fi

where I is split into the following abbreviations m := I(d)i

(3)1 , X := I

(d)i

(3)2 , Y := I

(d)i

(3)3

further d is the number of symbols in Σb and i is the index of f in Σb

↓ I ≡∧f∈Σb

∀~o :Sf f(~o) = isf (I, ~o) where Sf is the sort of the arguments of f

@ Iφ ≡ 〈∀i :C ∀u :R f(i)′ = u〉(φ ∧ ↓ I)

For defining ↓ I and @ Iφ, we use an auxiliary function isf (I, ~o) to improve readability. The defini-tions do not need recursion, so that we can consider occurrences of the defined notations as syntacticabbreviations for quantified variables satisfying the respective definitions (like for Lemma 1).

The function symbol isf (I, ~o) gives the value (θ) of function f at position ~o at the state characterizedby the real number denoted by I. It can be defined easily using the real pairing function from Lemma 1.The basic idea is to understand I via the real pairing function as a list of length m of position/valuepairs (X(m)

s /Y(m)s ), which characterize changes to the value f(~o) for each of the finitely many function

symbols f ∈ Σb. Using an arbitrary but fixed ordering, these function symbols f are identified withtheir index d in Σb. The most important insight for the proof is that, for every state reachable by αfrom σ, the list of changes of f compared to f(~o) at σ is always finite after finitely many transitions ofquantified state change with finite support (see end of Section 5). Consequently, the list of changes canalways be encoded by one (finite) real number according to Lemma 1. Using this auxiliary function, wecharacterize cases 1 and 2:

Case 1: The characterization for ↓ I is defined as a conjunction over all relevant function symbolsf ∈ Σb asserting that the value f(~o) of f at each position ~o of the sort Sf of f is identical to thecorresponding value isf (I, ~o) characterized by I.

Case 2: The characterization for @ Iφ uses a quantified differential equation with a variable u thatonly occurs on the right hand side and thus changes f at all positions i with an arbitrary slope u. The@ Iφ characterization then checks if the appropriate state characterized by I has been reached using ↓ Iand further expresses that φ holds at this state. By case 1, we know that ↓ I holds in at most one of thestates reachable by α from σ. In the quantified differential equation system for @ Iφ, the second quan-tified variable u amounts to nondeterministically specifying a slope u for each f(i). Unlike i, quantifiedvariable u only occurs on the right hand side of the quantified differential equation. Consequently, thesemantics (case 2 of the transition relation ρ(α) defined in Section 4) defines the states corresponding toall choices for u to be reachable. These respective choices for u include the choice that leads to the statecharacterized by ↓ I, e.g., by choosing slope u := isf (I, i)− f(i) for each i and evolving for 1 time unit.To simplify notation, we define @ Iφ only for Σb = {f}. The construction is repeated accordingly (bynesting modalities) for each f ∈ Σb, which are finitely many. The createdness flag

∃

(·) needs to be partof Σb for object creation to be taken care of. �

The rest of the proof follows similar principles to those in [17]. The full proof is beyond the scope ofthis report.

28